Plant system I&C Integration plan
Contents
1. IDM UID: 3VVU9W. Version created on / Version / Status: 15 Apr 2013 / 4.6 / Approved. EXTERNAL REFERENCE. IT Technical Specifications. Plant system I&C Integration plan. This document describes the testing approach and methods and the organizational scheme for planning and performing the FAT and SAT for any ITER I&C system. Approval Process (Name, Action, Affiliation): Author: Journeaux J.-Y., 15 Apr 2013, signed, IO DG DIP CHD CSD PCI. Co-Authors. Reviewers: Wallander A., 18 Apr 2013, recommended, IO DG DIP CHD CSD; Yonekawa I., 15 Apr 2013, recommended, IO DG DIP CHD CSD PCI. Approver: Thomas P., 30 Apr 2013, approved, IO DG DIP CHD. Document Security: level 1 (IO unclassified). RO: Journeaux Jean Yves. Read Access: AD: ITER; AD: External Collaborators; AD: Division, Control System Division, EXT; AD: Section, CODAC, EXT; AD: Section, CODAC; AD: Auditors; project administrator; RO; LG: CODAC team. Change Log (Title (Uid), Version, Latest Status, Issue Date, Description of Change): Plant system I&C Integration plan (3VVU9W v4.6), v4.6, Approved, 15 Apr 2013: Similar version as for v4.3, a format issue fixed. Plant system I&C Integration plan (3VVU9W v4.5), v4.5, Signed, 15 Apr 2013: same as v4.2 plus format issues fixed. Plant system I&C, v4.4, Signed, 15 Apr
2. When a function is allocated to a level of requirements, then all equipment necessary to the achievement of this function shall observe the corresponding requirements. If an equipment is involved in functions of different levels then The plant system safety I&C functions shall be allocated using the set of standard conceptual architectures given in this chapter. Each plant system safety I&C shall be represented by a composition of the set of standard conceptual architectures given in this chapter. Comments column for these requirements: Design requirement checked during the design phase. The software specification shall describe in quantitative terms the performance criteria (accuracy), the time constraints (response time) and the dimensional constraints (size of memory), with the tolerances and the possible margins. The derived functions introduced during the software development process shall be identified. The consequences of the errors of these software functions shall be studied at the system level. Derived functions shall be functions not expressed in the system specification but necessary for the functioning of the system, for example functions of communication inherent to the internal Safety I&C architecture of
3. Deliverable D18: it is assumed all I&C equipment as defined in PCDH and in the scope of the PA will be installed in cubicles, and these cubicles will be compliant with the IO standards defined in PCDH, see section 4.5.3. Hence D18 is the set of I&C cubicles which are ready to be integrated in the plant system I&C architecture. The detailed HW configuration is given in D34. No I&C cubicle is expected for procured equipment with configuration 3. D18 will be checked by the PS I&C RO. Deliverable D19 comprises the spare parts for I&C maintenance. The quantity and scope of the spare parts is normally specified in Annex B of the PA. D19 will be checked by the PS I&C RO against what is specified in Annex B of the PA. Deliverable D74 gathers all of the hardware tools required to maintain non-standard I&C equipment. Only R24 applies to this deliverable; the scope is plant system specific and must be determined on a case-by-case basis. D74 will be checked by the PS I&C RO. The PCDH rules to apply on HW deliverables are mentioned in Table 4. Additional details are given below. I&C equipment: Check the compliance with IO standards of the equipment delivered using product catalogues SD12 to SD15. See rules R132, R133 and R157. Check the naming of I&C equipment, see rules R65 and R66. The cubicle enclosure, the controller chassis and remote IO chassis, slow and fast controllers, the PSH an
4. Deliverable D32 is the set of SW documents and files produced with the engineering tools defined by IO in Section 4.4 of PCDH. D32 is checked by the PS I&C RO, with the support of the CSD, for compliance with the technical specifications and with PCDH requirements. D32 must be delivered for I&C equipment with configurations 1 and 2. Deliverable D34 is the set of technical documents for specifying the internal configuration and cabling of cubicles. Satellite document SD24 is a guideline unless something falls within the scope of IO cabling rules (RD2). This deliverable has a free format and is checked by the PS I&C RO against the technical specifications, against the cabling rules (RD2) and any additional requirement related to the cubicle installation and environmental constraints, see RD4. D34 must be delivered for I&C equipment with configurations 1 and 2. The rules related to the selection of the hardware are checked in scope of campaign C2. D34 must include a bill of materials for the I&C cubicle parts. Deliverable D38 is the set of cabling drawings to be provided for cabling the I&C cubicles to the plant system equipment and to CENTRAL I&C infrastructure. IO cabling rules (RD2) apply to D38; it is checked by the PS I&C RO for completeness and compliance with RD2. Deliverable D39 is the procedure for installation of all hardware and software packages provided. The procedure must be detailed enough to b
5. acceptance phase in order to secure a functional restore state. Comment: Targets all life cycle doc deliverables. R2 D31: Detailed descriptions (text documents, including structured lists in self-description data format) of: process control for any plant system operation state; process failure detection and strategy for process control; I/O treatments; data exchanges required for slow and fast controls; feedback controls; HMI, alarms and events; software architecture for these items with identification of related software modules and data exchange links. Full software and configuration documentation as generated by the ITER IO prescribed engineering tools. Section titles: I&C Deliverables Management; I&C manufacture (3.4.3). Comments: Part of check under PS RO scope. Targets IO standard controllers, SCC and LCC. D34: Every document required for cubicle mounting, air conditioning. Including I/O cabling to all I&C equipment, assembly, external and internal wiring, earthing and powering. Inventory of any equipment or component used for cubicle manufacturing, including I&C equipment, with supplier identification and a supplier procurement reference. D38, D39: Cabling documents for cubicle connection with I/O cabinets, I&C networks, earth and power supplies. Procedure of installation, configuration, starting up and software and hardware completeness checks for the plant system I&C, in particular for plant
6. supplies any I&C equipment or software, including spare units and documentation, for the plant system in question. The scope of the supply is defined in Annex B of the PA (in-kind procurement) or the technical specifications (when purchasing). The configuration of the PSH and Mini-CODAC is a task of the procurement I&C SU; therefore the procurement I&C SU is assumed to be skilled in using CODAC tools. The procurement I&C SU executes the PS I&C FAT and SAT plans. Page 8 of 35, ITER D 3VVU9W v4.6. 2.5 I&C deliverables and rules to be considered throughout the plant system I&C life cycle. Table columns (Phase): Design; Manufacture and FAT; Install, SAT; Integrated commissioning & operation. Design: D1 Plant system I&C architecture; D5 Plant system controller(s) performance and configuration requirements; D6 List of inputs and outputs (I/O) of the I&C controllers; D7 List of the Process Variables handled by the plant system I&C. Install, SAT: Update of all deliverables; D65 SAT report. Manufacture and FAT: D31 Functional specifications of the I&C system developed within the scope of the procurement; D32 SW documents and files specified in the section 4.4 of PCDH; D34 Technical documents for specifying the internal configuration and cabling of the I&C cubicle; D39 Procedure for installation of all hardware and software packages; D40 All original documents for mounting, cabling, configuring, operating and maintaining any I&
7. REVIEW ONLY. Plant system I&C Integration plan (3VVU9W v1.0), v1.0, Signed, 29 Nov 2010. Document Revision History (Version, Status, Date, Changes): 1.0, Draft, 19/08/2010: Initial version issued in scope an engineering support contract. 1.1, Draft, 30/08/2010: Enhancements including outcomes of 23 of August review with JY Journeaux in Cadarache. 1.2, Draft, 17/09/2010: Draft issued for 2nd review by CSD team. 1.3, 1st Version, 08/10/2010: Updates as per official Antonio Fernandez and Izuru Yonekawa review forms. Outcomes of 24 of Sept review meeting in Cadarache. 1.4, Updated, 16/11/2010: Updated following JYJ comments stored in IDM with version 1.3. 1.5, Updated, 15/12/2010: Removed Pulse scheduling interface. 2.0, Updated, 15/04/2011: After this date the versions have been issued directly by IO (JYJ); changes for simplification plus alignment with PCDH v6.1; still interlock and safety areas to complete and review. 2.1, In work, 15/10/2011: Completion of chapter 4; still the inputs from Denis, Bruno, Nadine, Petri, Hitesh, Antonio, Jean Marc to incorporate. 2.2, In work, 04/04/2012: Scope enlarged to PS I&C integration, alignment with CODAC DDD for the integration scheme. 3.0, In work, 27/09/2012: A number of improvements in wording plus section 2.5 added, C2 merged with C4. Campaign scenarios simplified. 4.0, In work, 12/12/2012: Version submitted to J
8. & PCDH section: Specification, Safety I&C Specification. R259: Each function shall be described with at least the following fields. Comment: Design requirement checked during the design phase. R260: Each function shall be given a safety classification in the form of a safety integrity level (IEC 61508) based on one of the methods indicated in the standard or equivalent. Comment: Design requirement checked during the design phase. R261: The following technical performance requirements shall be identified for each function. Comment: Design requirement checked during the design phase. For each function the list of environmental and/or physical constraints shall be identified. Comment: Design requirement checked during the design phase. The Occupational Safety Plant Safety System (PSS-OS) shall provide I&C Safety functions for the protection of the people and the environment against all conventional hazards. Comment: Design requirement checked during the design phase. The Plant Safety functions shall provide locally visual and audible The Plant Safety functions shall communicate all hazards warnings. Comment: Design requirement checked. All safety functions shall be designed on the basis of their SIL classifications (1, 2 or 3) considering the instructions of the IEC 61508 standard. Comment: Design requirement checked during the design phase.
9. during the design phase. R81: The plant system I&C shall maintain the status of all active alarms and shall transmit any change of this status (alarm raised, alarm cleared). Comment: Design requirement checked during the design phase. R82: The alarm shall carry information to the CODAC system to enable alarm reduction (not applicable to PSS). R83: The alarms shall be raised in accordance with the operating states. This is needed to properly qualify alarms which are not significant in a given situation (not applicable to PSS). Comment: Design requirement checked during the design phase. R84: An alarm shall contain: a timestamp; a severity; an alarm identifier (TBD); a process part identifier raising the alarm (source); a text describing the condition that caused the alarm to be raised. Comment: Design requirement checked during the design phase. R85: A log message shall include: a time stamp; a process identifier according to the naming scheme; a text explaining the event; a message level (debug, info, warning, error). Comment: Design requirement checked during the design phase. R86: The following log messages shall be recorded with their qualifiers in the logging system: all timing, PSH, plant system controller, PLC or embedded system events or state changes; all operations related to data configuration (creation, modification, deletions of variables, threshold change); all transitions in operating states; all commands sent by cen
10. &C Integration plan (3VVU9W v2.4), v2.4, Signed, 18 Apr 2012: Minor changes. Plant system I&C Integration plan (3VVU9W v2.3), v2.3, Signed, 17 Apr 2012: Version issued after Anders and Izuru review. Plant system I&C Integration plan (3VVU9W v2.2), v2.2, Signed, 04 Apr 2012: Version completed by JY and requiring now the review completion of stakeholders mentioned in the text. Plant system I&C Integration plan (3VVU9W v2.1), v2.1, Signed, 14 Sep 2011: Intermediate version used in scope of CWS I&C meeting on 14th of September. Plant system I&C Integration plan (3VVU9W v2.0), v2.0, In Work, 08 Jul 2011: Still in work; changes for simplification plus alignment with PCDH v6.1; still interlock and safety areas to complete and review. Plant system I&C Integration plan (3VVU9W v1.5), v1.5, Approved, 09 Feb 2011: Version issued after PCDH v6 external review. Plant system I&C Integration plan (3VVU9W v1.4), v1.4, Signed, 09 Feb 2011: Updated following JYJ comments stored in IDM with version 1.3. Plant system I&C Integration plan (3VVU9W v1.3), v1.3, Signed, 09 Feb 2011: Version after PCDH v6 external review. Plant system I&C Integration plan (3VVU9W v1.2), v1.2, Signed, 06 Jan 2011: Update of version number ready for PCDH v6 review, JP comments included. Plant system I&C Integration plan (3VVU9W v1.1), 1.1, Signed, 06 Jan 2011: THIS VERSION IS UPLOADED FOR PCDH v6 DOCUMENTATION PACKAGE.
11. configuration of the interface. If not, check the configuration of the air inlet and outlet with respect to what was specified by IO. Table columns: PCDH section title and PCDH section; Requirement; Description; Comments; FAT; SAT. Plant System I&C Life Cycle, I&C manufacture (3.4.3): I&C cubicles with internal wiring and all internal I&C equipment. I&C spare parts list with appropriate specifications of storage space and conditions. Tools required for maintenance of any I&C component. I&C Factory Acceptance Tests (3.4.4): For every test (unit testing, system and integration testing, acceptance testing), the version of the equipment being tested, the version of the test specifications being used and, for acceptance testing, the version of the design specification being tested against shall be recorded. R24: The procurement I&C supplier shall provide all necessary hardware and software tools and configuration files for FAT. Comments: Targets all configurable I&C equipment. Includes the tools used to configure and maintain the sensors and actuators. Specification, Plant System I&C Architecture, I&C Naming Conventions: A convention for uniquely identifying parts and components fo
12. PSH: Plant System Host; PSS: Plant Safety System; PSE: Plant System Equipment; PS I&C RO: Plant System I&C Responsible Officer; PV: Process Variable; RIO: Remote IO chassis; RO: Responsible Officer; SDN: Synchronous Data bus Network; SDD: Self-Description Data; SIL: Safety Integrity Level; SSEN: Steady State Electrical Network; SW: Software package; TBC: To Be Confirmed; TBD: To Be Defined; TCN: Time Communication Network. 1.3 Conventions. Throughout this document, mandatory rules or requirements are enumerated and prefixed with R. Non-mandatory guidelines or recommendations are enumerated and prefixed with G. The table below provides a list of paragraph identifiers used in this document: AD: Applicable Document; D: Deliverable for a lifecycle phase; G: Guideline / Recommendation; R: Rule / Requirement; RD: Reference Document; SD: Satellite Document. Paragraphs marked with TBD or TBC represent work in progress which will be confirmed and expanded further in subsequent releases of this document. 1.4 Reference documents. The following documents are cited in this document: RD1: Plant Control Design Handbook (27LH2V); RD2: IO cabling rules (335VF9); RD3: ITER On-Site Testing Strategy (44U2Y4); RD4: ITER Policy on EEE in Tokamak Complex (6ZX6S3); SD1: Plant System I&C Architecture (32GEBH); SD2: Methodology for PS I&C sp
13. sensors, actuators or any controller embedded in the equipment. This configuration is typically used when the plant I&C system is purchased by IO. A typical example is the Magnet system. See Figure 2-1, PA3. [Figure 2-1: I&C configuration types. Diagram labels: PS I&C, CODAC networks, Controller, Signal interface, PA2.] 2.4 I&C actors for FAT and SAT. Several actors are involved in FAT and SAT for I&C. Those introduced in this document are: Plant System I&C Responsible Officer (PS I&C RO): IO client of the I&C system. He/she provides the plant system inputs throughout the design process. He/she reviews the plant system I&C design, provides the PS I&C FAT and SAT plans, reviews and approves the results of the PS I&C FAT and SAT. He/she is supported by the ITER Control System Division (CSD) for checking compliance with PCDH requirements and implementation of CODAC solutions. Procurement I&C Supplier (I&C SU)
14. system I&C. Several plant system I&Cs may be required to control a plant system, and then several integration processes might be required to integrate a plant system in CODAC systems. See SD1 for definition of the plant system I&C. As a consequence of the ITER procurement model, and also from the plant system I&C perspective, it is necessary to also consider the unit of procurement (the PA) in the plant system I&C integration model. Therefore the model of I&C integration starts at PA level and ends up at plant system I&C level. The starting point of the integration is the completion of the Factory Acceptance Tests (FAT). From that point on, the ITER model for on-site testing applies (see RD3 for further details). This model introduces the following sequence: site delivery, site reception, assembly, component tests, system tests, system commissioning, ITER integrated commissioning. The Site Acceptance Test (SAT) is when IO decides whether to accept or reject the component on the basis of the test results. The SAT will be initiated at site reception and will terminate at system commissioning. Note: the final acceptance by IO of the procurement package may require additional tests to be executed during ITER integrated commissioning (typically the case for performance tests and compliance with environmental conditions). This document will focus on the procedures to be executed on the procurement package during the FAT
15. C equipment. controllers. D41 Drawings showing the complete path of I&C signals from the sensors/actuators up to the signal interfaces of the I&C controllers. D8 Configuration of I&C cubicles. D9 Specifications of plant system operating state machines. D42 Calibration factors for the sensors and the actuators. D43 Extension of D40 for specifying the installation, operation and maintenance. PCDH deliverables for I&C obsolescence management: D44 and D71, short term (D44) and long term (D71) maintenance; None; None. D48 Certificates of conformity of the I&C equipment. D20 Self-Description Data as described in and SD4. D26 mini-CODAC configuration as required for the operation of the system using CODAC systems and infrastructure. D18 I&C cubicles procured within the scope of the PA. D19 I&C spare parts for maintenance. D74 is gathering all hardware and software tools required to maintain non-standard I&C equipment. D72 user software developed in the scope of the I&C for active control, monitoring, simulation and testing purposes. D50 FAT report. PCDH rules for I&C: Related rules are mentioned in sect 8; Related rules mentioned in sect 7; Related rules are mentioned in sect 7; None; None. 3 Details of the FAT for I&C systems. 3.1 FAT objectives for I&C and entering FAT. The objectiv
16. DH section title and PCDH section; Requirement description (refer to the approved document for details); Test req; Comments; FAT; SAT. Section titles: Plant system I&C Design Philosophy; Specification, I&C Naming Conventions, Components Naming Conventions; PS I&C SW specifications, Functional requirements. R67: The signal identifier shall satisfy the following naming convention: the signal identifier is made of three parts. R70: The plant system I&C shall implement the following functions. Comment: Design requirement checked during the design phase. R71: All information issued from the process shall be supplied with an identifier, a time stamp and a quality flag, including error identification in case of error. Units and full name of the information may not be required in the dynamic data if defined in the associated static meta data. Comment: Design requirement checked during the design phase. R73: Calibration factor and conversion formula shall be configurable. Comment: Design requirement checked during the design phase. R79: The plant system I&C shall be able to manage different control types such as the state machines, the high level commands issued by the CODAC system towards the process, the unitary commands for test purposes, the plant system local control loops and the configuration commands from the CODAC system (not applicable
17. Comments: Design requirement checked during the design phase. I&C shall be built using standardized architectures that are made of standard equipment in order to meet the specified functional and reliability requirements. This equipment (sensor, safety calculator, processing logic, network, actuator module) shall be defined later in accordance with the functions to be performed. Slow Interlock PLCs have already been defined. Inviolability implies that everything should be implemented to restrict the risks of errors during: periodic test operations; corrective maintenance operations; modifications of the installation. The equipment shall be designed to restrict the interventions required on the equipment for maintenance or preventive tests to the minimum by anticipating, at the design stage, the necessary means and interfaces for the performance of these tests. The equipment shall be fitted with specific access and intervention rules. R230: The level of redundancy shall be set to reach the specified objectives for reliability and availability. Comments: Design requirement checked during the design phase. Requirements attached to the design phase to be checked during I
18. Introduction of the plant system I&C / central I&C interface tests in IO CSD lab (Integration plan, 2013, 3VVU9W v4.4). Plant system I&C Integration plan (3VVU9W v4.3), v4.3, Approved, 17 Jan 2013: Version reviewed for quality. Technical content is not changed with respect to 4.2. Version issued in scope of PCDH v7. Plant system I&C Integration plan (3VVU9W v4.2), v4.2, Approved, 08 Jan 2013: Satellite document of PCDH. Version released in scope of PCDH v7. Two format issues fixed v4.0. Plant system I&C Integration plan (3VVU9W v4.1), v4.1, Signed, 08 Jan 2013: Satellite document of PCDH. Version released in scope of PCDH v7. One format issue fixed v4.0. Plant system I&C Integration plan (3VVU9W v4.0), v4.0, Signed, 08 Jan 2013: Satellite document of PCDH. Version released in scope of PCDH v7. Plant system I&C Integration plan (3VVU9W v3.0), v3.0, Signed, 12 Oct 2012: A number of improvements in wording, simplification, section 2.5 added, campaign for SDD merged to SW campaign. Scenario reduced by pushing most of the requirement check at design and manufacture phase. Plant system I&C Integration plan (3VVU9W v2.5), v2.5, Signed, 26 Apr 2012: Some improvement for SAT scenario. Plant system I
19. Poole review. 4.3, Final, 17/01/2012: Version issued in scope of PCDH v7. 4.4, Final, 23/01/2013: Introduction of SDD tests in chapter 3. 4.5, Final, 12/03/2013: Introduction of interface tests in chapter 3. Table of Contents: 1.1 Document purpose; 1.2 [illegible]; 1.3 Conventions; 1.4 Reference documents; 2 The model of integration of I&C systems; 2.1 The Plant System I&C; 2.2 Plant system I&C integration model; 2.3 I&C system configuration types for the procurements; 2.4 I&C actors for FAT and SAT; 2.5 I&C deliverables and rules to be considered throughout the plant system I&C life cycle; 3 Details of the FAT for I&C systems; 3.1 FAT objectives for I&C and entering FAT; 3.2 Scope of FAT for I&C systems
20. R112, R120, R121, R122, R123, R124. Requirement description (refer to the approved document for details): Access to the plant system I&C shall be through approved access points and shall be in agreement with the ITER site security requirements. This encompasses both the physical access and the access through networks. ITER security requirements are described in TBD. R100. Plant system I&C shall restrict access to authorised systems/people. The availability of the plant systems I&C shall be compliant with the RAMI requirements of the plant system. Each CPU's load ratio of the processor module shall be less than 50% on average in any 10 s period. Usage of main memory shall not exceed 50% (any period). Network and bus loads shall not exceed 50% in any 10 seconds period and, for Ethernet based on the CSMA/CD principle, it shall not exceed 30%. Duration for update of information from sensors to the Plant Operation Network shall be less than 1 sec (for PSS this is only applicable to communication between PSS and CSS). Plant system I&C participating in the diagnostics or plasma feedback control shall have specific performance requirements (not applicable to PSS). Communication between PS fast controllers and PSH shall use EPICS Channel Access. The SDD consist of: Plant system I&C unique identification; Command list; Al
21. ables are expected to be reviewed at FAT. 2. All HW related rules are expected to be checked at FAT except the rules R59, R312, R313 and R315, which will be checked at SAT. 3. All SW related rules are expected to be checked at FAT. 5 Details of SAT for I&C systems. 5.1 SAT objectives for I&C. From the CENTRAL I&C perspective, FAT target the plant equipment and SAT the plant system I&C. Therefore the SAT objective is to check the readiness of the plant system I&C for integration with CENTRAL I&C systems and infrastructure and to check the readiness of the plant system I&C for integrated commissioning. 5.2 Scope of SAT for plant system I&C. The scope of SAT is identical to that of the FAT but extended to the plant system I&C, in particular where plant system I&C comprises several procurements. Some things may not be carried out during the FAT and as a consequence shall be transferred to the SAT. The ultimate goal is to have checked all PCDH requirements by the completion of the SAT. By convention, nothing is redone at the SAT when it has already been satisfied during the FAT and there is no I&C configuration change from FAT to SAT. Therefore the C1 campaign for documentation is not expected to be redone at SAT. The SAT is organized in three steps: component tests and system tests as specified by RD3, and a third step for connection to the CENTRAL I&C infrastruc
22. and on plant system I&C during the SAT, in order to integrate the plant system I&C with CODAC systems. 2.3 I&C system configuration types for the procurements. See SD1 for definition and configuration of the plant system I&C. There are three I&C configurations of procured equipment as a consequence of the procurement model and plant system sharing. Configuration 1: The interface for I&C is the CODAC infrastructure as defined in PCDH. This configuration is the IO standard model: the equipment is delivered as standalone plant system I&C which is ready to be integrated. Typical examples are the buildings, the liquid nitrogen cryoplant, the heating and diagnostic neutral beam facilities, and some diagnostic systems. See Figure 2-1, PA1. Configuration 2: The interface for I&C is still the CODAC infrastructure as defined in PCDH, but the procurement is a part of a more extended plant system I&C. The I&C procurement is still delivered as a PCDH compliant system including a PSH and a mini-CODAC, like configuration 1, but this configuration assumes some integration work will be performed by IO to complete the integration of the PS I&C, e.g. merging of mini-CODAC and PSH configurations. Typical examples may be found in the cryogenics and the water cooling plant systems. See Figure 2-1, PA2. Configuration 3: The interface for I&C is reduced to the signals provided by the
23. arms list; Set-points list; Plant system I&C design limits; Physical (raw) signals list (I/O); Processed / converted signals list; Data streams list; Logging messages list; Definition of the plant system I&C state machine in accordance with the defined plant system operating states; Definitions of plant system I&C HMI; Initial values for run-time configuration used for plant system I&C start-up; Identification of source codes and binary packages of the plant system I&C specific software; Documentation. As a general principle there shall be no hidden knowledge in the plant system I&C configuration. Whatever action is needed to configure the plant system I&C from scratch, it shall be an integral part of SDD (at least in the form of documentation). Plant systems I&C shall always be in central control mode during normal operation. Central control is always done through the CODAC system (operator or plant system operator) from the MCR. As far as possible, the monitoring of the plant system by the CODAC system shall be maintained when the plant system is in local control, and the state of the plant system shall reflect the control mode to be local. Comments: Design requirement checked during the design phase. Des
24. as not yet been executed. The reference to any issue sheets raised for each campaign. When an issue of Severity Level 1 is encountered, the IO and DA representatives (for in-kind procurement) may decide either to stop the acceptance process, if they consider that the consequences of the defect are either too important or that the remaining tests would not be valid, or to continue it. Issues of Level 2 and Level 3 do not stop the acceptance process. If the number of issues encountered requires the delivery of a new release to fix them, IO and DA representatives and the supplier have to define and agree on the following: The set of tests or checks to be re-executed for validating the fix. The aim is to demonstrate that the fix does actually solve the issues it is supposed to address. The list of test scenarios to be re-executed as part of the non-regression testing, based on an analysis of the potential impact of the fix on other parts of the system. The aim is to demonstrate that the fix does not compromise the other parts of the system. The progress of factory acceptance can be assessed by means of indicators maintained in the FAT and SAT reports: campaigns executed; campaigns passed, partially passed, blocked; campaigns not yet executed. 6.3 Acceptance criteria. Acceptance criteria should be globally defined at project level by IO in order to ensure consistency across all the acceptance r
25. be checked at FAT but at earlier stage for risk mitigation. Bondering Powering R199. Environment, Location and Volume Management R179: I&C equipment shall comply with the environment conditions of the location at which they will be installed. If not, a suitable protection shall be defined for the I&C equipment. Such conditions concern magnetic fields, neutron flux, electromagnetic radiation, vibration coming from other equipment or seismic event, temperature and humidity. Integration requirement to be checked at SAT. Plant system I&C shall use Class IV power supply as defined in EDH RD4, single phase, for conventional cubicles. The PIS and PSS will use Class II IP and may be backed up by Class IV, see chapter 6 and 7 of that document. Integration requirement to be checked at SAT. 4.5.6 R159 2 The ITER cabling rules apply to signal cabling. I&C Signal Cabling Rules. 4.5.7 Access to the instrumentation cubicles and junction boxes shall be sufficient to allow installation of testing and calibration equipment. R180 Integration requirement to be checked at SAT.
Table 4 Deliverables and rules for campaign C2
7.5 Campaign C3 configuration data and software
Campaign purpose: This campaign checks that the PCDH rules applicable to I&C software (SW) packages are me
26. cable to campaign C1 are the general IO rules for documents. In addition, rules R18, R20, R21, R22, R43, R44, R45 and R46 for document management and quality apply; see Table 3 for details. The deliverable documents mentioned above can be merged together for optimization of delivery purposes. If so, these documents must include a mapping table between PCDH deliverables and sections and the delivered documents.
PCDH section title; PCDH section; PCDH Req; Requirement Description; Comments; FAT; SAT
Plant system I&C Design Philosophy; Plant System I&C Life Cycle; Development Management
R18 2 Outputs or deliverables shall be identified and managed to ensure that IO and involved DAs know that they have the correct version and shall be advised of any changes and/or deficiencies. Each output shall be recorded with at least the output identifier, name, the type, the description, the current version and the status (not built, built, reviewed and approved). Targets all life cycle deliverables.
R20 2 All deliverables shall be traceable to their parent output as well as to their relevant specification and design item. Targets all life cycle doc deliverables.
R2 2 All deliverables in electronic format shall be backed up after the Targets all life cycle doc
27. ciated variables are simulated / forced in the controller. The procedure to apply is
o Health monitoring data. The procedure to apply is TBD.
o COS management. The procedure to apply is TBD.
Time synchronization over TCN. The procedure to apply is TBD.
Data over SDN. The procedure to apply is TBD.
Data over DAN. The procedure to apply is TBD.
Data over AVN. The procedure to apply is TBD.
Data over CIN. The procedure to apply is TBD.
Data over CSN. The procedure to apply is TBD.
PCDH section title; Requirement Description; Comments
Plant System I&C Life Cycle; I&C manufacture: D39 1 Procedure of installation, configuration, starting up and software and hardware completeness checks for the plant system I&C, in particular for plant system specific components, non-standard components.
I&C Acceptance Tests: The results of SAT shall be recorded and retained in the lifetime records of the ITER plant. Any failures during SAT shall be investigated and the cause and rectification of the failure documented in the SAT report. Ee is performed with Mini CODAC. Mini CODAC may be Eike by specific tools for the PIS and PSS. Data links with Mini CODAC not tested during FAT shall be tested during SAT. See SD6 for details for FAT e Tes
28. cked during the design phase. Network (see section 5.3.8) to communicate audio/video signals, if applicable. Plant system I&C shall implement an interface (read and write data) to the central interlock system, if applicable. Design requirement checked during the design phase. Plant system I&C shall implement an interface (read and write data) to central safety systems, if applicable. Design requirement checked during the design phase. Design requirement checked Design requirement checked Design requirement checked Design requirement checked Design requirement checked Design requirement checked Design requirement checked Design requirement checked Design requirement checked Design requirement checked Design requirement checked Design requirement checked Design requirement checked Design requirement checked Design requirement checked. Every plant system I&C shall be connected to PON. Only IO certified SDN interfaces shall be connected to SDN. Specific hardware and software required by SDN interface is supplied by IO. The SDN interface is located in the plant system controller. Only IO certified TCN interfaces shall be connected to TCN. Specific hardware and software required by the TCN interface is supplied by IO. The TCN Interface is located in the plant system controller. Only IO certified AVN interfaces shall be connected to AVN. Specific hardware and software re
29. cles and is virtualized in CENTRAL I&C systems. If several plant system I&Cs are involved in the control of the plant system, an additional step targeting the integrated operation of these plant system I&Cs will be performed following the completion of each individual This integrated operation is performed from the main control room under the responsibility of the PS I&C RO, who will specify the scope and the procedure for these tests.
6 I&C Acceptance Principles
6.1 Issue management
During the execution of tests, any deviation from the expected result must be captured in a uniquely identified issue sheet. All the information related to the investigation of the root cause of the issue and all the remedial actions must be recorded in the sheet. The PCDH rules in Section 7.2 apply for any deviation from PCDH rules. Issue sheets must be recorded electronically and archived using the IO issue tracking tools at least. A severity level value must be assigned to each issue reported, as follows:
- Severity Level 1: major issue that must be fixed before shipping of the procured equipment to the ITER site.
- Severity Level 2: an issue that may be fixed on the ITER site before the system commissioning.
- Severity Level 3: minor issue, acceptable for I&C integration to CENTRAL I&C infrastructure; may be fixed later but before the final acceptance by IO.
The issue sheet will monitor the p
30. d switches and all external cables connected to the cubicles must be labelled and named accordingly. The guidelines for cubicle tagging are given in SD24 and for cable tagging in RD2. Check the conformity of the I&C HW configuration with the rules related to reserved slots and load ratios. Rules R105 and R107 must be checked for each controller configuration (slow and fast). Rule R106 must be checked against the cubicle HW configuration for the space remaining available for HW extensions.
Physical interface with the plant system equipment signals:
- Cables and cabling: Rule R159. Check the compliance of the cabling interface and the cubicle cable entries with the cabling rules of RD2.
Physical interface with IO infrastructure at the limit of the scope of PCDH:
- Mechanical interface with the building: check the cubicle fixings against what was specified by IO.
- Power supply: check that the power supply configuration is as specified in rule R199.
- Environmental condition compliance: rule R179 must be considered at design phase but may be assessed again at the installation phase.
- Cubicle configuration with respect to access for maintenance: rule R180. This point is related to the configuration of the doors. Check that the cubicle door configuration and access to internal equipment conforms with what was specified by IO.
- Cubicle cooling: if some connection to an external cooling device is required, check the
31. ding alarms shall be less than ten. Plant System Slow Controller: R13 1 Slow Controllers shall use the ProfiNet field bus within their architecture up to the input output card. The interface between PSH PON and slow controllers shall be standard Ethernet. Design requirement checked during the design phase. R366. Plant System I&C Hardware Specification; Plant System Slow Controller; I&C Cubicles: R161 The I&C cubicles shall comply with ITER EMC and radiation polic. Design requirement checked during the design phase. I&C Signal Cabling Rules: R312 A particular plant system I&C signal shall not be connected to different plant system I&Cs. If requested by several plant system I&Cs, the corresponding data shall be transmitted through the I&C networks. Design requirement checked during the design phase. R313 Direct cabled connections of signals from a plant system I&C to another plant system I&C, inside the same plant system or between two different plant systems, are not allowed. Design requirement checked during the design phase. R314 If the PSE and the I&C cubicle connected to it are not in same building, or are located in the same building but far away from each other, then an optical fibre device shall be used. Design requirement checked during th
32. e Plant System design it will be treated as an exception. The plant safety system I&C lifecycle and development processes will follow the requirements of IEC 61508. Design requirement checked Design requirement checked Design requirement checked Design requirement checked during the design phase. Design requirement checked Design requirement checked during the design phase. Design requirement checked Design requirement checked Design requirement checked. To be checked by Jean Marc. The software infrastructure for Occupational Safety I&C software shall be based on Siemens COTS operating systems and applications that comply with the assigned SIL level up to SIL 3 61508. To be checked by Jean Marc. Design requirement checked during the design phase. To be checked by Jean Marc. To be checked by Jean Marc. Design requirement checked during the design phase. Design requirement checked during the design phase. Design requirement checked during the design phase. Design requirement checked during the design phase.
PCDH section title; PCDH section; PCDH Req; Severity level; Requirement Description; Comments; FAT; SAT
Deviations Policy: R281 Requests for deviations from and non-conformance with the requirements of the ITER Plant Control Design Handbook shall be made to the IO i
33. e design phase. R315 All the electrical cables used for transport of I&C signals will be single or multiple twisted pairs. Exceptions to this rule may apply for high frequency and high voltage analogue signals transmitted over a short distance. For such signals coaxial cables are recommended. Design requirement checked during the design phase. Signal Interface: R318 The ITER standards for I&C signals to be interfaced on ITER standard I&C controllers are as follows. Design requirement checked during the design phase. R309 Design requirement checked during the design phase. 310 The IEC 61000-5-2 technical standard is applicable for bonding of I&C components. Design requirement checked during the design phase. R306 Use by temporary external equipment: NO external equipment should be plugged into the socket strips of the I&C cubicles. The exception to this is diagnostic and test equipment, which may be connected for a limited time. Operation requirement. Environment, Location and Volume Management: Integration requirement to be checked during design and manufacture phases. Signal interface; Bondering Powering: All I&C cubicles shall comply with ITER policy for maintenance procedures, powering and earthing, cable identification. 4.5.6 Bondering Powering R178 The location of the instrumentation c
34. e diagnostic coverage shall be defined in accordance with the safety failure fraction required for the safety integrity level of the equipment. See IEC 61508-2 §7.4.3.1.4. Design requirement checked during the design phase.
PCDH section title; PCDH section; Requirement description (refer to the approved document for details); Comments
Specification; Interlock I&C Specification; Interlock I&C Architecture
R325 Each PIS sends to the CIS: its own state; the PIS commands sent to the process; the signals used by CIS or other PIS for making decisions; the information to be displayed on CIS operator desks; the information enabling PIS monitoring and PIS data archiving. Design requirement checked during the design phase.
R326 The CIS sends to the PIS CPI commands related to this PIS. Design requirement checked during the design phase.
R327 Interface between PIS and CIS relies on CIN. Design requirement checked during the design phase.
R328 CIN is built redundant. Design requirement checked during the design phase.
R329 All the PIS are synchronised on an ITER central clock. Design requirement checked during the design phase.
R330 Inter PS communication between PS flows through CIS using CIN. There may be some hardwired links between Plant Interlock Systems Design requ
35. e of the plant system I&C FAT from the CENTRAL I&C perspective is to check the readiness of the PA for integration with the CENTRAL I&C. Procured PA is considered as ready for the FAT if the following criteria are met:
- The CENTRAL I&C interface data has been made available and updated in the IO Self Description Data (SDD) repository.
- The PCDH requirements specified for checking during design and manufacture phases are met.
- The FAT plan is defined and agreed by all parties. The FAT plan must cover all I&C systems interfaced to CENTRAL I&C for conventional, interlock and safety controls.
- Software deliverables are stored in the correct IO repository.
- The component list (bill of materials) is issued and it identifies all I&C deliverables as specified in PCDH.
- All of the certificates required are available.
- The mini-CODAC system is configured and ready to proceed to the FAT.
- Supplier is ready to proceed.
FAT for I&C will target the remaining PCDH requirements to be checked on the relevant deliverables.
3.2 Scope of FAT for I&C systems
It is proposed to split the FAT for I&C into four campaigns, as listed below:
C1 I&C documentation
C2 I&C hardware
C3 I&C configuration data and software
C4 I&C functional requirements
Each campaign is determined by the PCDH requirements and the I&C deliverables which have to be checked. A non compliance severi
36. e used in the scope of campaign C4 to check the capability of IO to replace any I&C hardware parts and reinstall any software package. D39 is checked against a CSD template for completeness in the scope of the campaign template is
Deliverable D40 comprises all original documents provided by I&C equipment suppliers concerning mounting, cabling, configuring, operating and maintaining any I&C equipment. A non-exhaustive list of I&C equipment is: I&C controllers and parts of controllers, chassis, boards, signal interfaces and power supplies, network interfaces and switches, cubicles and accessories, including cubicle heating, ventilation and air conditioning (HVAC) and monitoring systems. It is assumed a bill of materials is provided by the procurement supplier; the PS I&C RO checks the completeness of D40 with respect to the bill of materials.
Deliverable D41: in addition to the cabling diagrams used for on-site installation, D41 is the set of drawings showing the complete path of I&C signals from the sensors/actuators up to the signal interfaces of the I&C controllers. The path is through junction boxes, signal conditioning devices, terminal blocks and other power supplies involved in the generation of the signals. The purpose is to facilitate signal failure analysis by providing a complete picture of the signal route for each I&C signal. D41 is checked by the PS I&C RO.
Deliverable D42 concerns the calib
37. ecifications (353AZY)
I&C signal and variable naming convention (2UT8SH)
Self description schema documentation (34QXCP)
The CODAC Plant System Interface (34V362)
SD6 PS I&C integration plan (this document) (3VVU9W)
SD7 ITER operator user interface (3XLESZ)
SD8 ITER alarm system management (3WCD7T)
SD9 I&C signal interface (3299VT)
SD10 PLC software engineering handbook (30PLAH)
SD11 Software engineering and QA (2NRS2K)
SD12 Slow Controller catalogue (333J63)
SD13 Guidelines for fast controllers (333K4C)
SD14 Fast Controller products catalogue (345X28)
SD15 Cubicle products catalogue (35LXVZ)
SD16 Guidelines for the design of the PIS (3PZ2D2)
SD17 CWS case study specifications (35W299)
SD18 ITER CODAC glossary (34QECT)
SD19 ITER CODAC Acronym list (2LT73V)
SD20 CODAC Core System Overview (345075)
SD21 Plant Control Design Handbook for Nuclear control systems (2YNEFU)
SD22 Management of local interlock functions (TBD)
SD23 Guidelines for diagnostic data structure and plant system status information (TBD)
SD24 Guidelines for I&C Cubicle Configurations (476HUG)
2 The model of integration of I&C systems
2.4 The Plant System I&C life cycle
The plant system I&C life cycle is detailed in PCDH RD1, Section 3. This life cycle includes the following phases for a
38. elated activities and project milestones including the FAT. In the interim, the following criteria can be proposed for FAT and SAT acceptance for I&C:
- Test campaign execution rate: this is the rate of campaigns which have been fully executed. A campaign is considered fully executed when all its procedures have been executed, i.e. the campaign execution result is either Fully Passed or Partially Passed.
- Number of issues with Severity Level 1
- Number of issues with Severity Level 2
- Number of issues with Severity Level 3
The acceptance is validated when:
- Test campaign execution rate is 100 %
- All issues with Severity Level 1 have been fixed and validated for FAT
- All issues with Severity Level 2 have been fixed and validated for SAT
The acceptance might be provisionally validated when:
- The campaign execution rate is 100 %
- Issues with Severity Level 1 and all unacceptable issues with Severity Level 2 have been fixed and validated
- Remaining Severity Level 2 issues are such that they do not make the use of the system unreasonable in an operational mode
Issues of level 3 cannot lead to a refusal of acceptance.
7 Campaign details for FAT and SAT
7.1 The PCDH requirement mapping matrix
The PCDH mapping matrix of requirements provides a mapping between PCDH requirements and:
- Associated severity level for acceptance
- Whether any test is required for check
39. fically developed for the I&C for active control, monitoring, simulation and testing purposes (FAT, SAT, any other tests). D72 includes all configuration data files used to configure the I&C equipment installed in the I&C cubicles, but also the sensors and actuators. D72 does not include the Self Description Data identified as deliverable D20 in the PCDH. D72 will be checked by the PS I&C RO with the support of the IO CSD.
Deliverable D74 comprises all of software tools required to maintain non-standard I&C equipment. Only R24 applies to this deliverable; the scope is plant system specific and must be determined on a case-by-case basis. D39 will be checked by the PS I&C RO.
The PCDH rules to apply to SW deliverables are listed in Table 5. Additional details are given below.
SW storage:
- SDD data (deliverable D20): use the IO SDD repository; see core CODAC user manual for the procedure to apply.
- Mini-CODAC configuration (deliverables D26 and D72): use the IO SVN repository at https://svnpub.iter.org/codac/iter/codac/icdev/units; see core CODAC user manual for the procedure to apply.
SW validation:
- SDD: The SDD data must pass the integrity, completeness and compliance validation of the SDD editor.
- PLC: R297 will be checked by compilation of the PLC user software on a STEP7 engineering station configured with the STEP7 version specified in PCDH. The user software architecture of the PLCs wil
40. hall be made to the IO in writing, following the procedures detailed in RD11, RD19 and RD12. The decision on the acceptance of the non-conformance report shall be made by the plant system central I&C responsible officer of the IO. Design requirement checked during the design phase. Any I&C equipment which is non-compliant to the PCDH requirements shall be subject to the Non-Conformance Report Process described in the ITER Deviations and Non-Conformances RD12 and RD19. Every non-conformance shall be accompanied by an obsolescence management plan as suggested by IEC 62402. Apply to all campaigns. Apply to all campaigns. Apply to all campaigns.
8 Deviations Policy
R284 A deviation request shall include an alternative proposal, including a justification of why I&C specifications in this document or procurement document were not followed, and a list of attachments which support the justification. R285 R286 A non-conformance report shall include the original requirement, a description of the non-conformance, proposed remedial action and list of attachments which support the proposed remedial action. Apply to all campaigns. If the plant system responsible officer (and plant system I&C supplier, if appropriate) discovers that he had misinterpreted these technical specifications after signing the PA, this shall not be accepted as an excuse for deviations from it. R287 During execution of the procurement al
41. he responsibility of the PS I&C RO with support from the CSD throughout the following:
- If several PSH have been introduced for dealing with a plant system I&C configuration delivered in several PAs by different partners, then these PSH shall be merged in only one at that point.
- Execute the C4 campaign for functional requirements of all items checked in the SAT column in the spread sheet and all items not checked during the FAT. See details in Section 7.6.
- Report the plant system I&C test issues in the appropriate logging system (still TBD); fix the remaining issues.
- Issue the plant system I&C SAT report, PCDH deliverable D65.
- Enable the active controls in the controllers; the plant system I&C is then considered as ready to complete the system tests under the responsibility of the plant system RO. This point is beyond the scope of this document.
System connection to CENTRAL I&C and preparation for integrated commissioning
The unit of system connection for I&C is the plant system I&C. After completion of the system tests, the central I&C systems are updated with the plant system I&C data configuration for allowing the plant system I&C to be operated from the Main Control Room (MCR); the plant system I&C mini-CODAC(s) used for plant system I&C SAT are cancelled and removed from the plant system I&C. The PSH HW delivered in scope of the integration kit is removed from the plant system I&C cubi
42. hecked during the design phase. Design requirement checked during the design phase. R248 with the SIL level required by the interlock functions mos essetis n with the assigned SIL level E eps the assigned SIL level. R252 The programming languages and tools for interlock I&C software shall comply with the assigned SIL level. For the PLCs, the safety matrix and Continuous Functional Chart (CFC) shall be used. R335 Design requirement checked Design requirement checked Design requirement checked Design requirement checked. Interlock I&C Software Specification. Design requirement checked during the design phase. Design requirement checked during the design phase. The Interlocks can be enabled or disabled independently of the Plant BENESSERE Interlock I&C Hardware Specification LE este assigned SIL level o me both SIL 2 SIL 3 PLCs amp C Design requirement checked Design requirement checked. R257 The plant interlock system network shall comply with the assigned SIL level. Design requirement checked during the design phase. R336 Communication within the PIS slow controllers uses the ProfiSafe field buses. Design requirement checked during the design phase.
PCDH section title; Requirement Description; Comments; FAT; SAT
43. heir plant system I&C backup and storage by successive evolutions and the strategy to adopt in case of obsolescence. Check under PS RO responsibility for scope and procedure. Specification; Plant System I&C Architecture; Mini CODAC: OSI layer 2 switch is the only plant system I&C component that has a physical interface with Mini CODAC. Design requirement checked during the design phase. R54 The physical interface of the plant operation network between Mini CODAC and the plant system I&C shall be a conventional Gigabit Ethernet connection. The PSH shall be connected to the OSI layer 2 switch. Design requirement checked. The PSH shall be integrated into the plant system I&C. Design requirement checked. U TBC 19 rack and 500W power supply shall be allocated for the PSH in one of the plant system I&C cubicles. Design requirement checked during the design phase. 4.2.1 Mini CODAC. Design requirement checked during the design phase. 4.2.2 Plant System Host: R63 The interface between the PSH and the plant system controllers shall be Ethernet. Design requirement checked during the design phase. R64 The PSH shall be configured by the plant system I&C designers using the software kit supplied by IO. Design requirement checked during the design phase. PC
44.
3.3 Performing FAT for I&C systems
4 Details of the assembly of procured equipment for I&C systems
5 Details of SAT for I&C systems
5.1 SAT objectives for I&C
5.2 Scope of SAT for plant system I&C
5.3 Performing SAT for plant system I&C
6 I&C Acceptance Principles
6.1 Issue management
6.2 Acceptance process
6.3 Acceptance criteria
7 Campaign details for FAT and SAT
7.1 The PCDH requirement mapping matrix
7.2 Rules applicable to all campaigns
7.3 Campaign C1 I&C documentation
7.4 Campaign C2 I&C hardware
7.5 Campaign configurati
45. ign requirement checked during the design phase. monitoring, logging and visualization provided by CODAC System. 2.3 Plant system I&C mandatory functional requirements and site acceptance test Mini CODAC will be complemented by certified tools for PIS and PSS. R15 Plant system I&C shall have built-in absolute limit protection to prevent local control and central control errors. Time critical devices shall have built-in time-outs to ensure correct operation in case of Central I&C Systems failure. during the design phase. Plant System I&C Life Cycle; Development. Check under PS RO responsibility for scope and procedure. I&C Obsolescence Management: The latest PCDH version available shall be applicable when the PA is signed. Operation maintenance phase relevant only. R37 IO is committed to support old versions of PCDH standards, including the obsolescence management of those standards. Operation maintenance phase relevant only. Every new I&C equipment shall be documented in the same way as was required for the initial procurement. Operation maintenance phase relevant only. Training for operation and maintenance teams shall be included in the process of replacement, if required. Operation maintenance phase relevant only. The plant system ROs shall define requirements for t
46. ign requirement checked during the design phase. Design requirement checked during the design phase. Design requirement checked during the design phase. Design requirement checked during the design phase. Design requirement checked during the design phase. Operation requirement to be checked at integrated commissioning. Operation requirement to be checked at integrated commissioning. Operation requirement to be checked at integrated commissioning. R109 Duration for unitary commands from CODAC networks to actuators shall not exceed 1 sec. Design requirement checked during the design phase.
PCDH section title; Requirement Description; Comments; FAT; SAT
Specification; HMI; Alarm handling. Design requirement checked Design requirement checked during the design phase. Design requirement checked Design requirement checked Design requirement checked Design requirement checked. The core principles underlying this alarm philosophy are the following: Each alarm should be designed carefully according to key principles. Number of configured alarms per operator shall be fewer than 100. 4.4.10 Alarm handling: The number of alarms during the first 10 minutes of a major plant upset shall be less than ten. The alarm priority distribution is MAJOR 20 % and MINOR 80 %. The average number of stan
47. ing the requirement
- In which of the C1, C2, C3 and C4 campaigns the requirement should be checked
- Where the check must be performed: FAT or SAT. An X indicates if the check is mandatory, an O if optional or acceptable. The procurement configuration is also considered at this stage; see Section 2.3 for further details.
The PCDH requirement is identified by its PCDH section number, title, requirement/deliverable identifier and description. Table 1 provides an illustration of this mapping: the PCDH R55 requirement is verified in the scope of the C4 campaign for I&C equipment procured with configurations 1 and 2 only. Therefore this requirement will be checked during SAT for procurement configuration 3. In addition, a test is required and the severity level is assigned to 1.
PCDH section title; PCDH section; PCDH Req; Severity level; Requirement Description; Comments; FAT; SAT
Plant system I&C Design Philosophy; Plant System I&C Life Cycle; Specification; Plant System I&C Architecture; Mini CODAC. Design requirement checked during the design phase. Design requirement checked during the design phase. a physical interface with Mini CODAC. The physical interface of the plant operation network between Mini CODAC and the plant system I&C shall be a conventional Gigabit Ethernet connection. The functional interface of the plant system I&C
48. ion of the test specifications being used, and for acceptance equipment testing the version of the design specification being tested against, shall be recorded. 3.4.4 I&C Factory Acceptance Tests: R24 1 The procurement I&C supplier shall provide all necessary hardware and software tools and configuration files for FAT. Includes the tools used to configure and maintain the sensors and actuators. Specification; I&C Naming Conventions: R69 The following naming convention SD1 applies to I&C signals and process variables (PVs). R68 The plant system function identifier shall be based upon a Control Breakdown Structure (CBS) and satisfy the following naming convention. The variable identifier is a free string of 16 characters maximum, provided the full name, including the function identifier, is unique within the whole ITER plant. PS I&C SW specifications; Software Infrastructure; Operating Systems: The Operating System of the PS fast controllers is Red Hat Linux 6.1 x86_64 desktop with workstation option. Programming Languages and Tools: R115 The software versioning control tool shall be Subversion. R297 6118 The CODAC supports following development tool chains.
Table 5 Deliverables and rule
49. irement checked for performance reasons they will be dealt as deviations as stated in s A S s during the design phase chapter 8 In that case only binary information will be exchanged R243 id ia System Controllers shall comply with the assigned evel R333 The slow architecture is based on COTS industrial components Programmable Logic Controllers PLC Interlock I amp C Software Specification 12441 Interlock I amp C software shall comply with the assigned SIL level R245 The software specification shall describe in quantitative terms the performance criteria accuracy the time constraints response time and the dimensional constraints size of memory with the tolerances and the possible margins R247 The Interlock I amp C shall implement the following functions Detect anomalous situations on the basis of simple or complex algorithms from the measurement of field values the operational status of the monitored equipment and of the overall machine Generate protection events events and inhibits Command protection actuators operated on the basis of a set of conditions and events The performance shall be compatible with the SIL level required by the interlock functions The I amp C self diagnostics Diagnostic Coverage shall be compatible Design requirement checked Design requirement checked Design requirement checked Design requirement checked during the design phase Design requirement c
50. l functional requirements as specified in Section 7.6. On completion of FAT, the FAT report (PCDH deliverable D50) is issued by the I&C SU and the test plan is also updated if required.

4 Details of the assembly of procured equipment for I&C systems

The unit of assembly for any I&C procurement is the I&C cubicle; the I&C is considered as assembled when all I&C cubicles are mounted and physically interfaced at their final location. The goal of plant system I&C assembly is then to connect and set up the I&C cubicles with the CENTRAL I&C infrastructure, buildings, power supplies and other services in order to get the plant system I&C ready for the functional tests expected in SAT. The procurement assembly phase is performed under the responsibility of the procurement supplier. The following tasks will be completed on each plant system I&C cubicle:
- Configure the I&C cubicle for mounting and cabling: to prevent damage, the fragile internal components are first removed (see SD24 for details).
- Install the I&C cubicle at its final location in the ITER building.
- Cable the cubicle to the plant system equipment, to the CENTRAL I&C infrastructure networks, to the main power supply and to any other system required.
- Complete the configuration of the HW (internal and enclosure) if some equipment had been removed before mounting and cabling (fragile component, doors).
1 All document deliver
51. l be checked against the PLC software engineering handbook SD10 Fast controllers R111 R112 and R118 for EPICS version and data communication apply R113 applies to the OS version FPGA R119 applies PSH mini CODAC R155 applies for the core system version Page 23 of 35 ITER D 3VVU9W v4 6 PCDH section title equirement description refer to the Test approved document for details req Comments FAT SAT 3 gt Ge B 5 gt d PCDH section Plant System I amp C Life Cycle urce code of any software developed for the plant system or D72 S de of any soft developed for the pl y Targets mainly IO standard operation factory acceptance test site acceptance test integrated es ais to be ened ena commissioning and maintenance in the scope of the PA x case by pur basis for specific X Configuration data for any plant system I amp C controller to be embedded downloaded ONES ss rx Lo D26 1 configuration developed in Mini CODA For FAT SAT and plasma environment required for factory acceptance test site acceptance lon tation X test and integrated operation B I amp C Factory Acceptance Tests I amp C manufacture 3 4 3 I amp C manufacture R23 2 For every test unit testing system and integration testing acceptance testing the version of the equipment being tested the Targets all configurable I amp C vers
52. l deviations from the technical specifications shall be reviewed and finally approved by IO. (Apply to all campaigns)
R288: IO shall consider the proposal on an expedited basis. (Apply to all campaigns)
R289: IO reserves rights to reject or accept such proposals. (Apply to all campaigns)
Table 2 PCDH rules applicable to all campaigns and types of procured equipment for FAT and SAT

7.3 Campaign C1: I&C documentation

Campaign purpose
This campaign checks that PCDH rules applicable to the documents delivered in the scope of a procurement are met. These documents are identified in PCDH as deliverables D31, D32, D34, D38, D39, D40, D41, D42, D43, D44, D48, D60 and D71. They are all provided by the I&C SU.

Campaign scope
The relevant deliverables are identified in the PCDH as:
- Deliverable D31 is the relevant set of functional specifications of the I&C system. D31 covers the detailed description of the active controls and the monitoring of the plant system function. This deliverable has a free format and is checked by the PS I&C RO for completeness with respect to other technical specifications. D31 covers all of the plant system functions, including conventional, interlock and safety functions in the scope of the PA, and must be delivered for all configurations 1 to 3
53. l requirements checking: the functional interface with central I&C systems is specified in the plant system interface sheets for PBS45 to PBS48 (CODAC, Central Interlock, Plant Control System and Central Safety System). PCDH Section 5.2 provides the rules to apply. It is assumed that the I&C system is configured with a mini CODAC and PSH computers for testing of the functional interfaces with CENTRAL I&C in order to comply with R52, R55 and R56 rules. As a consequence, the mini CODAC must be configured to implement all of the CENTRAL I&C functions mentioned in the interface sheets. With these boundary conditions, the functional interface with CENTRAL I&C systems is checked as follows:
State data, simple commands and configuration data over PON: This tests signal connectivity from signal interfaces in the I&C cubicle up to the central I&C operator interfaces. During these tests the active controls are disabled at controller level to avoid any unexpected automatic action which could potentially disturb the tests or even damage the plant system. The test procedure is performed as follows:
o Inputs (digital and analogue): For each controller interface board, the input signals are simulated at the signal terminal block level and the continuity of the data processing, including any data treatment, up to the mini CODAC display is checked. The procedure to apply is TBD.
o Outputs (digital and analogue) and internal variables: The asso
54. ll active controls are disabled at the controller level to avoid any unexpected automatic action which could potentially disturb the tests or even damage the plant system.
- It is assumed that the component tests are performed with the mini CODAC. Then the mini CODAC configuration will be adjusted to match the component test scenario. Several mini CODAC systems might be required to execute the system tests, depending on the complexity of the plant system I&C; these should be installed at the appropriate location defined by the PS I&C RO.
- Check the PSH hardware configuration.
- Execute the C2 campaign for HW and C3 for SW, for all items expected to be checked at SAT and all items not checked at FAT. See details in Sections 7.4 and 7.5.
- Check the connectivity of the remote IO chassis with the CPU chassis for all controllers of the plant system I&C (this procedure is still TBD).
- Report the plant system I&C installation issues in the appropriate logging system details are still fix the remaining issues
The plant system I&C is then considered ready for the system tests.

System tests
The unit of system tests for I&C is the plant system I&C. The plant system I&C tests are part of plant system tests; they concern the tests to be performed on plant system I&C to get it ready to complete the system tests. The plant system I&C tests are performed by the I&C SU under t
55. mp C Cubicles
R157: The I&C cubicles shall be equipped with a monitoring system for doors, temperature and cooling monitoring, and the monitoring system shall be interfaced to the plant system I&C. (Comments: To be checked at FAT but at earlier stage for risk mitigation)
Interlock I&C Specification, Interlock I&C Architecture
R332: The functional interface of the plant system I&C shall be tested with the Mini CODAC. (Comments: none; FAT/SAT: X)
Table 6 Deliverables and rules for campaign C4

8 PCDH rules not considered during FAT and SAT

The following rules must be checked during the design and manufacturing phases. They are assumed to have been met for the FAT and therefore will not be considered in the definition of FAT and SAT scenarios and any acceptance criteria.

Table columns: PCDH section | PCDH section title | PCDH Req | Requirement description | Comments | FAT | SAT
Plant system I&C Design Philosophy: Plant system I&C mandatory functional requirements
R1: Plant system I&C shall perform control of the plant system under the authority of CODAC during any operating state. (Design requirement checked during the design phase)
R2: Plant system I&C shall comply with project wide supervisory control functions and central data handling functions i.e. archiving
R3: Plant system I am
56. n writing following the procedures detailed in RD11, RD19 and RD12. The decision on the acceptance of the non conformance report shall be made by the plant system central I&C responsible officer of the IO. (Section: Deviations Policy. Comments: Design requirement checked during the design phase)
IO reserves rights to modify these technical specifications during the execution of the procurement. The consequence of such modifications shall be mutually agreed between plant system I&C supplier and IO. (Comments: Design requirement checked during the design phase)

9 PCDH requirements mapping matrix

The following matrix gives the list of PCDH requirements addressed by each of the test campaigns described in the section
I&C matrix for FAT SAT and PCDH requirements (DYY8R9)
57. ncoherencies in behaviour control or measurements conflicts between redundant equipment shall be reported to the operators The structure of the 1 amp shall ensure that common modes Design requirement checked mastered during the design phase If some equipment provides different level functions some devices shall be implemented to avoid the highest level equipment being supplied with electric defects from the lowest level equipment Design requirement checked during the design phase E Un The material segregation shall be associated with a functional segregation in order to avoid supplying incorrect information from a lower to a higher level The redundant process lines Shall be located in different areas and take into account the risks of mechanical stress fire or flooding If C Design requirement checked during the design phase R238 not shall be fitted with protective equipment to ensure that the redundant process lines shall not be affected by the same aggravating factors Shall be fitted with devices that avoid spreading electrical defects among redundant equipment Shall be fitted with ancillary systems power supply cooling device which have compatible redundancy levels Design requirement checked during the design phase An incident shall not lead to the loss of several redundant process lines Requirements attached to the design phase to be checked during Th
58. ny procurement package:
1. A design phase for definition of the technical requirements.
2. A manufacturing phase, which includes Factory Acceptance Tests (FAT) at supplier premises.
3. An integration phase, which comprises the following sub-phases:
   a. Installation on ITER site.
   b. Site Acceptance Tests (SAT), testing all procured plant systems connected together.
   c. Integrated commissioning, to test the complete plant system once it is functionally and physically integrated with the CENTRAL I&C infrastructure and other plant systems.
4. Plant system operation.
In the ITER procurement model, a plant system is split into one or several procurement packages delivered as contributions in kind by DAs or purchased from IO suppliers. Following the plant system design phase, an approved design is agreed by DA and IO (in kind procurement only), and each procurement package follows its own life cycle for phases 2 and 3a. Then the procurement package is tested as an integrated system at the time of the SAT. As a general rule, I&C equipment (HW, SW) required to control the procurement package is included in a part of the procurement deliverables. Therefore PCDH requirements apply to this I&C equipment and shall be considered at FAT and SAT as a part of the approved design requirements. Therefore only PCDH requirements are considered in that document.

2.2 Plant system I&C integration model

The unit of integration into CODAC systems is the plant
59. on data and software
7.6 Campaign C4: I&C functional requirements
8 PCDH rules not considered during FAT and SAT
9 PCDH requirements mapping matrix

1 Introduction

1.1 Document purpose

This document, part of the Plant Control Design Handbook (PCDH) satellite documents package, is a handbook for specifying the procedures for the Factory Acceptance Tests (FAT) and Site Acceptance Tests (SAT) for plant I&C systems. Chapter 2 describes the integration model for I&C systems; chapter 3 provides details for the FAT; chapter 4 is dedicated to I&C assembly; chapter 5 provides details for the SAT; chapter 6 proposes acceptance criteria, but these must be aligned with the IO criteria when they are available; chapter 7 provides technical details for the test procedures; chapter 8 lists the requirements to be checked at design and manufacture phase; and chapter 9 provides the complete PCDH requirement mapping matrix for FAT and SAT.
PCDH comprises a core document which presents the plant system I&C life cycle and recaps the main rules to be applied to the plant system I&Cs for conventional controls, interlocks and safety controls. Some I&C topics are explained in greater detail in dedicated documents a
60. ormed in the order as described in this document. The campaign C1 does not require any attendance of the PS I&C RO at the FAT site since it may be performed remotely by IO using the deliverable documents. C1 is performed by the PS I&C RO with the support of CSD. The campaigns C2, C3 and C4 require the attendance of the PS I&C RO at the FAT site and the support of CSD, but will be prepared at IO premises using the PCDH deliverable documents and the bill of materials. C2 to C4 are performed by the I&C SU. See details in Sections 7.4, 7.5 and 7.6.

How to perform the campaigns in the scope of a FAT:
C1: Upload the deliverable documents in IDM EDB (details are still TBD) and proceed to review them as specified in Section 7.3, for all items checked in the FAT column of the I&C matrix.
C2: Check the deliverables D18 (I&C cubicles), D19 (spare parts for I&C) and D79 (any specific maintenance tools required) as specified in Section 7.4, for all items checked in the FAT column of the I&C matrix.
C3: Check the deliverables D20, D26 (SDD, configuration data) and D72 (all I&C user software), D74 (the SW tools required for the PS maintenance) as specified in Section 7.5, for all items checked in the FAT column of the I&C matrix.
C4: Check the deliverable D39 (HW and SW installation procedure) by executing D39 for complete HW and SW installation as specified in Section 7.6. Check the Central I&C interfaces and al
61. p C shall make available all data acquired from sensors/actuators with a time stamp to Central I&C Systems for analysis, archiving, logging, monitoring and visualization. The principle of no hidden data is applicable for all plant systems I&C; there shall be no permanent local storage of data. (Design requirement checked during the design phase)
R4: Plant system I&C shall provide status information for common operating states, plant system operating state, alarm conditions, trip conditions and corrective actions, control system set points and power supply status information that is required to operate the plant system I&C from Main Control Room (MCR). (Design requirement checked during the design phase)
R5: Plant system I&C shall be designed to be configurable from MCR using its self description data. (Design requirement checked during the design phase)
R10: Plant system I&C shall be operated centrally from MCR. (Design requirement checked during the design phase)
R11: Permanent local control rooms are forbidden. There are two exceptions to this rule: remote handling and tritium plant. (Design requirement checked during the design phase)
R12: Plant system I&C shall use Mini CODAC as a tool for plant system software development support, integration, factory acceptance test Design requirement checked Des
62. quired by the AVN interface is

Table columns: PCDH section title | PCDH Req | Requirement description | Comments | FAT | SAT | Severity level

Interlock I&C Specification: Introduction
Each function carried out by a plant system interlock I&C shall be defined, characterized and classified according to the guidelines given in this chapter or by an equivalent method. (Design requirement checked during the design phase)
Each function shall be described with at least the following fields:
- Protection function name: define a name or unique identifier.
- Protection function description: a textual summary description of the function.
- Sensors: indicate what type and number of measurements are required for the function.
- Interlock logic: describe the interlock logic required for the function.
- Actuators: indicate what type and number of actuators are required for the function.
- Protection of machine: indicating which machine component is protected.
- Risk to protect: indicating which risk is being yes with this function.
- Risk description: a summary description of the risk being yes with this function.
- Risk class: assign a class on the basis of the risk analysis and the Table 9 2 1 and Table 9 2 2.
(Design requirement checked during the design phase)
Each function shall be given a functional safety classification in the fo
63. r ITER is defined in the IT ER Numbering System for Parts Components see RD3 This naming convention is applicable R65 Components Naming to any component of the plant system I amp C nventions __ 1 The component naming convention as defined in the previous section applies to the component identifier Non functional Requirements R105 1 Additional reserve slots not equipped per backplane type shall be more than 20 R106 Additional reserve I O channels not equipped per type shall be more than 20 R107 Additional reserve I O channels equipped per type shall be more ione X than 5 Plant System I amp C Hardware Specification 4 4 3 1 x Non functional lt Requirements Plant System Slow Controller R132 1 Slow controllers shall use the Siemens Simatic S7 300 or S7 400 To be checked at FAT but at ranges x earlier stage for risk mitigation Plant System Fast Controller a R133 Fast controllers shall be based on PCI Express I O bus system be checked at FAT but at Fast Controller x earlier stage for risk mitigation I amp C Cubicles en R157 The I amp C cubicles shall be equipped with a monitoring system for checked ax ATG B t DAE be checked at ut at I amp C Cubicles doors temperature and cooling monitoring and the monitoring X barlier stage fai risk mitigation system shall be interfaced to the plant system I amp C I amp C Signal Cabling Rules To
64. ration factors for the sensors and the actuators used in the I&C controllers. These calibration factors are part of the plant system configuration data. See PCDH and SDD for details. D42 may be part of D40 and is checked by the PS I&C RO.
- Deliverable D43: D43 is an extension of D40 and concerns the documents issued during the manufacturing phase by the I&C SU specifying the installation, operation and maintenance. Therefore these documents are procurement specific and mainly cover procedures and user manuals. They are checked by the PS I&C RO with the support of CSD for everything linked to CENTRAL I&C interfaces and services.
- Deliverables D44 and D71 concern the short term (D44) and long term maintenance and obsolescence management (D71) for any I&C equipment not compliant with PCDH standards. It is assumed that CSD will manage obsolescence issues related to PCDH standards for HW and SW. Therefore the I&C SU must propose a solution, or at least a roadmap, to resolve the obsolescence problem for any non compliant equipment during its life cycle on ITER plant. D44 and D71 are checked by the PS I&C RO with support from CSD.
- Deliverable D48: these are the certificates of conformity concerning regulations applicable at ITER site for the I&C equipment. D48 checking may be incorporated with checking of any other procurement equipment (non I&C included).
The PCDH rules appli
65. rm of a safety integrity level (SIL) based on an established SIL assignment method (IEC 61508). (Design requirement checked during the design phase)
The following technical performance requirements shall be identified for each function: RAMI parameters (Reliability, Availability, MTTR), Maximum execution time. (Design requirement checked during the design phase)
For each function the list of environmental and/or physical constraints shall be identified: Space constraints, Ionizing radiation fields, Electromagnetic environment, ATEX requirements. (Design requirement checked during the design phase)
When a function is allocated to a level of requirements, then the whole equipment necessary to the achievement of this function shall observe the corresponding requirements. (Design requirement checked during the design phase)
If an equipment is involved in functions of different levels, then either the equipment shall be part of the highest level it contributes to, or measures shall be taken to physically and electrically isolate the highest safety level part. (Design requirement checked during the design phase)
The complexity of the I&C shall be restricted to the minimum required. The material organization of the I&C shall allow the containment of the most important functions for interlock within a perfectly identified physical entity. (Design requirement checked during the design phase)
66. rogress and resolution of the issue. The life cycle of the issue sheet must have at least:
- Open: the issue sheet has been created and contains the full description of the issue.
- Fixed: the root causes of the issue have been identified and the corresponding fix has been delivered.
- Validated: the fix has been successfully re-tested, including non regression tests. If the delivered fix doesn't pass the validation, the issue sheet status moves back to Open.
The Issue Sheet must record all the information related to the investigation of the root cause of the issue and all the remedial actions throughout its lifecycle.

6.2 Acceptance process

IO and DA representatives (DA for in kind procurements) attend the FAT and SAT for campaigns C2, C3 and C4. An acceptance test plan will be issued by the I&C SU. A template for the test plan and report covering the scope of I&C is available at FAT SAT plan and report for I&C (ATCLA4). The result of the execution of the FAT and SAT plans for I&C is recorded in the FAT and SAT reports (PCDH D50 and D65 respectively), which indicate:
- The result of each test campaign part of the test plan:
  Fully Passed: the campaign is complete and all the scenarios have been successfully executed.
  Partially Passed: the campaign is complete but some of the scenarios failed.
  Blocked: an issue encountered in a certain scenario prevents the completion of the campaign.
  Not Executed: the campaign h
67. s for campaign C3 R119

7.6 Campaign C4: I&C functional requirements

Campaign purpose
This campaign aims to check that the PCDH rules related to functional requirements of the plant system I&C systems are met. A prerequisite of the C4 campaign is the completion of campaigns C1 to C3, since the deliverables associated with them are required for C4 execution.

Campaign scope
The relevant deliverable identified in PCDH for the installation of the plant system I&C is D39. In addition to the D39 check, the tests of the functional interfaces between Central I&C systems and the equipment are performed. The tests related to the active control of the plant system equipment are beyond the scope of this document. These tests may be performed after the C4 campaign at the request of the procurement RO. In such a case they will be specified and executed under the responsibility of the procurement RO. The PCDH rules to be checked in the scope of C4 are mentioned in Table 6. These rules will be checked by the PS I&C RO with the support of the IO CSD and will comprise:
- Deliverable D39 checking: D39 is the procedure for installation of all hardware and software packages provided in the scope of the PA. The procedure D39 is checked against an IO template for completeness in the scope of the campaign and is checked for HW and SW installation suitability in the scope of the C4 campaign.
- Functiona
68. shall be tested with the Mini CODAC. (X X 1)
The software components delivered with the plant system I&C that will be integrated into the CODAC System shall be tested with Mini CODAC. (Comments: Target standard I&C equipment; X X 1)
PCDH section: 4.2.1 Mini CODAC
Table 1 Illustration of the mapping matrix. The complete matrix is given in chapter 8.

7.2 Rules applicable to all campaigns

The rules mentioned in Table 2 address the management of deviations from PCDH requirements and are applicable to the complete I&C system life cycle, including FAT and SAT. See PCDH for further details.

Table columns: PCDH section | PCDH section title | PCDH Req | Requirement description | Comments | FAT | SAT | Severity level
Section headings: Plant system I&C Design Philosophy; Plant System I&C Life Cycle Specification; Interface Specification between Plant System I&C and Central I&C systems; Interlock I&C Specification; Safety I&C Specification; Deviations Policy
R283 1: The plant system responsible officer and plant system I&C supplier, if appropriate, has to provide and pay for special integration and additional maintenance, including spare parts, for non standard equipment.
Requests for deviations from and non conformance with the requirements of the ITER Plant Control Design Handbook s
69. ssociated with PCDH. These are presented in Figure 1.1 and this document is one of them.

[Figure 1.1: PCDH document package (PCDH core and satellite documents)]

1.2 Acronyms

AI: Analogue Input
AO: Analogue Output
CENTRAL I&C: Addition of PBS45, 46 and 48
CIN: Central Interlock Network
CIS: Central Interlock System
CODAC: COntrol, Data Access and Communications
COS: Common Operating State
COTS: Commercial Off The Shelf
CPU: Central Processing Unit
CSN: Central Safety Networks
CSD: Control System Division (of IO)
DA: Domestic Agency
DI: Digital Input
DO: Digital Output
EMC: Electro Magnetic Compatibility
EPICS: Experimental Physics and Industrial Control System
FAT: Factory Acceptance Test
HPN: High Performance Networks
HW: Hardware (equipment or part)
I&C: Instrumentation & Control
I&C SU: I&C Supplier
IEC: International Electro technical Commission
I/O: Input/Output
IO: ITER Organization
NTP: Network Time Protocol
PA: Procurement Arrangement
PCIe: Peripheral Component Interconnect express
PIS: Plant Interlock System
PCDH: Plant Control Design Handbook
PLC: Programmable Logic Controller
PON: Plant Operation Network
PS: Plant System
PSOS: Plant System Operating State
70. st be provided and maintained during all life cycle
I&C Acceptance Tests
I&C Obsolescence Management
D71 2: A proactive management plan for obsolescence describing the strategies for identification and mitigation of the effects of obsolescence throughout all stages of I&C life cycle. (Comments: Targets the non standard equipment; X X)
I&C Documentation
All documentation shall be in the English language.
All documentation shall be available in editable electronic format (PDF, Open Document XML format or Microsoft Word) and in an online version which is accessible using IO product lifecycle management system.
R45: All documentation shall be under version control.
R46 2: For every item including a party and COTS, the original documentation shall be delivered.
Table 3 Deliverables and rules for campaign C1

7.4 Campaign C2: I&C hardware

Campaign purpose
This campaign checks that the PCDH rules applicable to the I&C hardware (HW) are met. No I&C cubicle powering or tests are required for the C2 campaign. The HW deliverable acceptance is granted subject to a limited number of PCDH rules, assuming other relevant rules have been checked during design and manufacture phases.

Campaign scope
The C2 scope is the HW delivered in scope of the PA: D18, D19 and D74
71. system specific components non standard components I amp C manufacture 1 Original technical documentation for each piece of equipment or component including software used to manufacture the systems in an I amp C cubicle 1 Schematic diagrams of the full signal path from the sensors actuators to the I O boards of the controllers including powering and conditioning with identification of test points for fault analysis or calibration and identification of the terminal blocks Trouble shooting procedures and functions Calibration factors for each sensor actuator conditioner I O board D42 and procedures for re calibration of these components JEDER NES DINE D43 D48 Technical documents manuals and procedures required for maintenance of any I amp C component Maintenance plan detailed warranty and or maintenance periods and their possible extensions licensing requirements Certificates of conformity for I amp C procurement to any regulation SEO applicable on ITER site and proof of compliance to ITER I amp C X none standards I amp C Factory Acceptance Tests e o 1 The results of FAT shall be recorded and retained in the lifetime Q 2 records of the ITER plant Any failures during FAT shall be 55 SM investigated and the cause and rectification of the failure 5 x none d o documented in the FAT report A complete bug report problems en 9 E d lt and fixes mu
72. t No SW deliverable tests are required for the C3 campaign; the SW deliverable acceptance is granted subject to a limited number of PCDH rules, assuming other relevant rules have been checked during design and manufacture phases.

Campaign scope
The relevant deliverables are identified in the PCDH as D20, D26, D72 and D74; they are all provided by the I&C SU.
- Deliverable D20 comprises the Self Description Data as described in PCDH Section 4.4.6 and SD4. The SDD includes references to signals, variable and process variables (PV). The content of D20 is checked against the configuration and naming conventions for I&C components, signals and variables, network configurations; see the associated rules in Section 4.3.1 of PCDH. D20 must be delivered using the dedicated CODAC SDD editor. D20 includes the implementation of COS and the mapping of COS with the specific PSOS. D20 is checked by the PS I&C RO with the support of IO CSD.
- Deliverable D26 comprises the HMI configuration of the mini CODAC, archiving and alarm handling required for future operation using CENTRAL I&C systems and infrastructure. In addition, D26 includes what is required to perform the SAT and FAT as described in this document (see Chapters 3 and 5). D26 must be delivered using the dedicated tool kit of the core CODAC version in use at FAT date. D26 is checked by the PS I&C RO with the support of IO CSD.
- Deliverable D72 gathers all user software speci
73. the system functions of system breakdown detection Specification Design requirement checked during the design phase Once Occupational risk is eliminated the operator has to reset the function to re authorize the use of the actuator It is not possible to PSS OS shall integrate system diagnostic functions with auto diagnostic capabilities PSS OS shall integrate signal diagnostic functions PSS OS shall integrate maintenance override functions PSS OS communicate all safety events to the Central Safety System The logging data shall include System management shall be performed with safety dedicated safety The performance shall be compliant with the SIL level IEC 61508 The I&C self diagnostics Diagnostic Coverage shall be compatible with the SIL level R349 Safety Matrix R351 Occupational Safety functions should be operational in all ITER operational states and could be disabled only when the absence of risk can be demonstrated for both SIL 3 PLCs IEC 61508 07 e between PSS process and up to the CODAC hutch power supply and Class IV power supply R358 Occupational Safety system components shall be accredited for to the identified environmental constraints and be installed in locations where environmental conditions are yes by this accreditation of the equipment R359 Where increased environmental hazards are imposed on I&C equipment by th
74. tral I&C systems All binary state changes e g valve opened or closed All events concerning an analogue variable or a group of analogue variables threshold overshooting out of range discrepancy All variable validity changes All actions done locally by operators log on off local commands variable tagging or forcing All local alarm acknowledgements Design requirement checked during the design phase 4 4 1 Functional requirements Remote control functions shall be available reboot configure start R87 Design requirement checked during the design phase Design requirement checked Design requirement checked Design requirement checked during the design phase stop switch to local central control mode These functions shall comply with the security rules of the ITER site The plant system I&C shall be monitored in a homogeneous way in The monitoring function shall encompass monitoring of plant The plant system I&C shall be synchronised with ITER central time The equipment to be monitored shall include at least Environment R88 within cubicles PSH hardware software Plant system controllers I&C networks CODAC system interface in order to take local Any monitored equipment and function shall supply status information with one of the following exclusive values Fully R92 Design requirement checked operational Partly operational which means
75. ts R373 For performance test purpose the plant system I&C shall be tested under a scenario and acceptance criteria provided by the ITER plant system RO This shall include the individual tests of every Check under PS RO responsibility plant system I&C function with the real process connected to the for s scope and procedure plant system I&C and the test of the plant system as a complete autonomous system without any interaction with Central I&C Systems Specification Plant System I&C Architecture Mini CODAC x System The functional interface of the plant system I&C shall be tested Mini CODAC with the Mini CODAC X R56 The software components delivered with the plant system I&C that Target standard I&C equipment will be integrated into the CODAC System shall be tested with Mini X out X CODAC y PS I&C SW specifications Functional requirements R77 The plant system I&C shall be able to autonomously maintain safe Functional requirement to be operation of the plant system in case of loss of central I&C systems X checked at SAT Functional or I&C networks not applicable to PSS 4 8 The start up strategy shall take into account the current state of the requirements R78 Functional requirement to be process and the presence absence of the CODAC system not X checked at SAT checked at applicable to PSS I a
76. ture 5.3 Performing SAT for plant system I&C. To make a complete check of the installation procedure, all of the software and configuration data installed in controllers, mini CODAC systems and PSH in the scope of the FAT will be deleted. The equipment will be re-installed from scratch using CENTRAL I&C procedures for systems, CENTRAL I&C source repository (SVN) files, configuration data and the PCDH deliverable D39 for the plant system I&C installation procedure. Component tests: The unit for component tests is the I&C cubicle of the plant system I&C. The goal of I&C cubicle tests is to check the physical interfaces with CENTRAL I&C, buildings, power supplies and other services in order to get the plant system I&C ready for the system tests. The component tests are performed by the I&C SU under the responsibility of the PS I&C RO with support from the CSD throughout the following: Carry out the electrical hazard safety inspection to obtain authorization for cubicle powering; proceed to cubicle powering; check the cubicle cooling system. Once this has been done the I&C cubicle is considered as ready for the next step. When all plant system I&C cubicles are ready, check the network configuration and connectivity of all controllers, PSH included, for PON, TCN, SDN, AVN, DAN, CIN and CSN. Download the SW configurations required for these tests to the I&C controllers. From that point a
77. ty level has been assigned to each PCDH requirement to be verified during the FAT and SAT; see Section 6.1 for further details. The details of the campaigns are given in Chapter 7 of this document. A mapping between the PCDH requirements and the campaigns is proposed in the Excel file incorporated in Chapter 9. 3.3 Performing FAT for I&C systems. Preparing FAT in IO: For each PA, the following tasks will be performed by IO for testing the PA interfaces with the central I&C systems: Set up the suitable plant system I&C HW architecture matching the PA configuration, with all controller CPU chassis connected physically to the central I&C networks in IO lab; no remote IO chassis is required provided there is no central I&C interface expected in the remote IO chassis. The mini CODAC and the PSH are parts of the architecture. Check the configuration data and procedure of installation; PCDH deliverables are identified for each. The versions of software and SDD deliverables stored in IO repository are used. Test the PA central I&C interface. The test procedure to apply is still TBD. For the complete plant system I&C: Set up the complete plant system control system HW architecture as for PA testing. Test the functional links in between PAs involved in the plant system I&C. Page 10 of 35 ITER D 3VVU9W v4 6 Performing FAT at supplier premises: For efficiency it is recommended that the campaigns are perf
78. ubicles and junction boxes shall depend on the functional requirements and shall be chosen so as to allow ease of access for initial installation and for later routine maintenance 4 5 7 Page 30 of 35 PCDH section title Specification ITER D 3VVU9W v4 6 Requirement description refer to the Test Comments FAT SAT approved document for details req Interface Specification between Plant System I&C and Central I&C systems Functional Interface Functional Interface Physical Interface Physical Interface The plant system I&C shall implement a functional interface to Design requirement checked central CODAC systems compliant with the I&C requirements as during the design phase expressed in the chapter 4 of that document Plant system I&C shall implement an interface read and write data Design requirement checked with sampling rates to Synchronous Databus Network see section during the design phase 5 3 6 for plasma feedback control if applicable Plant system I&C shall implement an interface to Time Design requirement checked Communication Network see section 5 3 7 if high accuracy during the design phase synchronization is required Plant system I&C shall implement an interface to Audio Video Design requirement che
79. with limitations with during the design phase respect to design parameters performance RAMI OLC Not operational R93 Information on equipment performance shall be monitored Performance information such as field bus CPU load memory usage or network bandwidth utilisation shall be recorded for capacity planning The plant system I&C events shall be reported in the logging and R94 Needs the whole conf of PS I&C also alarms This information shall also be propagated to the to be checked CODAC system Design requirement checked during the design phase The plant system shall be able to send acquired or computed information to the CODAC system in either raw data or in R97 Design requirement checked during the design phase engineering units with conversion formula Any configuration of parameters shall be possible with minimum disturbance to the rest of the plant system I&C and underlying R98 Design requirement checked during the design phase process Page 28 of 35 PCDH section title PCDH section Specification Severity level Non functional Requirements 4 4 2 Software Infrastructure Software Infrastructure Self Description Data Operating States Control Mode Control Mode 4 4 8 R103